對offline explorer v 1.9的簡單破解 (17千字)
軟體下載:http://www.newhua.com/OfflineExplorer.htm
軟體介紹:相當方便使用的離線瀏覽工具,可排定抓取時間、設定Proxy,也可選擇抓取的專案及大小,可自設下載的存放位置、及存放的空間限制。它內建瀏覽程式、可直接瀏覽或是使用自己喜歡的瀏覽器來瀏覽、且更可直接以全瀏覽窗切換來作網上瀏覽,另它對於抓取的網站更有MAP的提供、可更清楚整個網站的連結及目錄結構。
工具:W32DASM HIEW.EXE SICE
安裝好程式後,把時間調前一個月,則出現註冊提示,隨便填個使用者名稱、系列號,按“確定”出現"Sorry, registration information......",記下來。
用W32DASM反彙編,在串式參考中查到"Sorry, registration information "雙擊則來到下面。
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004DDFEA(C)
|
:004DE0FE 6A10
push 00000010
:004DE100 8D4DD8
lea ecx, dword ptr [ebp-28]
:004DE103 8B06
mov eax, dword ptr [esi]
:004DE105 8B80F8040000 mov eax, dword
ptr [eax+000004F8]
:004DE10B BA07000000 mov edx,
00000007
:004DE110 E8D3D7F9FF call 0047B8E8
:004DE115 FF75D8
push [ebp-28]
:004DE118 68DCE14D00 push 004DE1DC
:004DE11D 8B06
mov eax, dword ptr [esi]
:004DE11F 8B80F8040000 mov eax, dword
ptr [eax+000004F8]
:004DE125 8B4040
mov eax, dword ptr [eax+40]
:004DE128 33D2
xor edx, edx
:004DE12A E809D2F9FF call 0047B338
:004DE12F 0FB7C0
movzx eax, ax
:004DE132 8D55D4
lea edx, dword ptr [ebp-2C]
:004DE135 E842B5F2FF call 0040967C
:004DE13A FF75D4
push [ebp-2C]
:004DE13D 68E8E14D00 push 004DE1E8
:004DE142 8B06
mov eax, dword ptr [esi]
:004DE144 8B80F8040000 mov eax, dword
ptr [eax+000004F8]
:004DE14A 8B4040
mov eax, dword ptr [eax+40]
:004DE14D BA01000000 mov edx,
00000001
:004DE152 E8E1D1F9FF call 0047B338
:004DE157 0FB7C0
movzx eax, ax
:004DE15A 8D55D0
lea edx, dword ptr [ebp-30]
:004DE15D E81AB5F2FF call 0040967C
:004DE162 FF75D0
push [ebp-30]
:004DE165 68DCE14D00 push 004DE1DC
:004DE16A 8D4DCC
lea ecx, dword ptr [ebp-34]
:004DE16D 8B06
mov eax, dword ptr [esi]
:004DE16F 8B80F8040000 mov eax, dword
ptr [eax+000004F8]
:004DE175 BA09000000 mov edx,
00000009
:004DE17A E869D7F9FF call 0047B8E8
:004DE17F FF75CC
push [ebp-34]
:004DE182 8D45DC
lea eax, dword ptr [ebp-24]
:004DE185 BA07000000 mov edx,
00000007
:004DE18A E82160F2FF call 004041B0
:004DE18F 8B45DC
mov eax, dword ptr [ebp-24]
:004DE192 E81D61F2FF call 004042B4
:004DE197 8BC8
mov ecx, eax
* Possible StringData Ref from Code Obj ->"Sorry, registration information "
->"is invalid."
|
:004DE199 BA08E24D00 mov edx,
004DE208 //我們停在這裡
:004DE19E A1DC865200 mov eax,
dword ptr [005286DC]
:004DE1A3 8B00
mov eax, dword ptr [eax]
:004DE1A5 E8BA58F7FF call 00453A64
往上看,原來是從4DDFDE處跳來(更準確地說,是004DDFEA處的je,見上面的Referenced by資訊),好的我們來到此處
:004DDFDB 8D4DF8
lea ecx, dword ptr [ebp-08]
:004DDFDE 8D55FC
lea edx, dword ptr [ebp-04] *這幾個語句有夠經
:004DDFE1 8B06
mov eax, dword ptr [esi] *典的。
:004DDFE3 E810850200 call 005064F8
*關鍵,進去看看
:004DDFE8 84C0
test al, al *
:004DDFEA 0F840E010000 je 004DE0FE
*若al=0,則失敗。
:004DDFF0 8B06
mov eax, dword ptr [esi]
:004DDFF2 C680DC06000001 mov byte ptr [eax+000006DC],
01
:004DDFF9 8B06
mov eax, dword ptr [esi]
:004DDFFB 05E0060000 add eax,
000006E0
進入call 005064f8
* Referenced by a CALL at Addresses:
|:004DDFE3 , :0050C5E6 , :0050C609 經用SICE跟蹤,幾處CALL分別在註冊、啟動、時間變化時呼叫
|
:005064F8 55
push ebp
:005064F9 8BEC
mov ebp, esp
:005064FB 6A00
push 00000000
:005064FD 6A00
push 00000000
:005064FF 6A00
push 00000000
:00506501 6A00
push 00000000
:00506503 53
push ebx
:00506504 56
push esi
:00506505 8BF1
mov esi, ecx
:00506507 8BDA
mov ebx, edx
:00506509 33C0
xor eax, eax
:0050650B 55
push ebp
:0050650C 68136B5000 push 00506B13
:00506511 64FF30
push dword ptr fs:[eax]
:00506514 648920
mov dword ptr fs:[eax], esp
:00506517 C645FF00 mov
[ebp-01], 00
:0050651B 8B16
mov edx, dword ptr [esi]
* Possible StringData Ref from Code Obj ->"dqma" //從這裡開始比較你的使用者名稱、系列號是否在黑名單上,如在則玩完。
|
:0050651D B82C6B5000 mov eax,
00506B2C
:00506522 E8B5DEEFFF call 004043DC
:00506527 85C0
test eax, eax
:00506529 7E11
jle 0050653C
:0050652B 8BD6
mov edx, esi
:0050652D 8BC3
mov eax, ebx
:0050652F E87CF9FFFF call 00505EB0
:00506534 8845FF
mov byte ptr [ebp-01], al
:00506537 E9BC050000 jmp 00506AF8
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00506529(C)
|
:0050653C 8B03
mov eax, dword ptr [ebx]
* Possible StringData Ref from Code Obj ->"Henry Wiking"
|
:0050653E BA3C6B5000 mov edx,
00506B3C
:00506543 E8B8DCEFFF call 00404200
:00506548 0F84AA050000 je 00506AF8
:0050654E 8B03
mov eax, dword ptr [ebx]
* Possible StringData Ref from Code Obj ->"Harold Bishop"
|
:00506550 BA546B5000 mov edx,
00506B54
:00506555 E8A6DCEFFF call 00404200
:0050655A 0F8498050000 je 00506AF8
:00506560 8B03
mov eax, dword ptr [ebx]
* Possible StringData Ref from Code Obj ->"Roy Overstreet"
|
:00506562 BA6C6B5000 mov edx,
00506B6C
:00506567 E894DCEFFF call 00404200
:0050656C 0F8486050000 je 00506AF8
:00506572 8B03
mov eax, dword ptr [ebx]
* Possible StringData Ref from Code Obj ->"Menson inc."
|
:00506574 BA846B5000 mov edx,
00506B84
:00506579 E882DCEFFF call 00404200
:0050657E 0F8474050000 je 00506AF8
:00506584 8B03
mov eax, dword ptr [ebx]
* Possible StringData Ref from Code Obj ->"James N. Hawkins"
|
:00506586 BA986B5000 mov edx,
00506B98
:0050658B E870DCEFFF call 00404200
:00506590 0F8462050000 je 00506AF8
:00506596 8B03
mov eax, dword ptr [ebx]
* Possible StringData Ref from Code Obj ->"abdalsalam s"
|
:00506598 BAB46B5000 mov edx,
00506BB4
:0050659D E85EDCEFFF call 00404200
:005065A2 0F8450050000 je 00506AF8
:005065A8 8B03
mov eax, dword ptr [ebx]
* Possible StringData Ref from Code Obj ->"tom jones"
|
:005065AA BACC6B5000 mov edx,
00506BCC
:005065AF E84CDCEFFF call 00404200
:005065B4 0F843E050000 je 00506AF8
:005065BA 8B03
mov eax, dword ptr [ebx]
* Possible StringData Ref from Code Obj ->"Craig Suharsono"
|
:005065BC BAE06B5000 mov edx,
00506BE0
:005065C1 E83ADCEFFF call 00404200
:005065C6 0F842C050000 je 00506AF8
:005065CC 8B03
mov eax, dword ptr [ebx]
* Possible StringData Ref from Code Obj ->"Hidehiro nakatsugawa"
|
:005065CE BAF86B5000 mov edx,
00506BF8
:005065D3 E828DCEFFF call 00404200
:005065D8 0F841A050000 je 00506AF8
:005065DE 8B03
mov eax, dword ptr [ebx]
* Possible StringData Ref from Code Obj ->"Mike's Pro Shop"
|
:005065E0 BA186C5000 mov edx,
00506C18
:005065E5 E816DCEFFF call 00404200
:005065EA 0F8408050000 je 00506AF8
:005065F0 8B03
mov eax, dword ptr [ebx]
* Possible StringData Ref from Code Obj ->"li lu"
|
:005065F2 BA306C5000 mov edx,
00506C30
:005065F7 E804DCEFFF call 00404200
:005065FC 0F84F6040000 je 00506AF8
:00506602 8B03
mov eax, dword ptr [ebx]
* Possible StringData Ref from Code Obj ->"Global Disaster Sofware"
|
:00506604 BA406C5000 mov edx,
00506C40
:00506609 E8F2DBEFFF call 00404200
:0050660E 0F84E4040000 je 00506AF8
:00506614 8B03
mov eax, dword ptr [ebx]
* Possible StringData Ref from Code Obj ->"Ellis Wang"
|
:00506616 BA606C5000 mov edx,
00506C60
:0050661B E8E0DBEFFF call 00404200
:00506620 0F84D2040000 je 00506AF8
:00506626 8B03
mov eax, dword ptr [ebx]
* Possible StringData Ref from Code Obj ->"frank stein"
|
:00506628 BA746C5000 mov edx,
00506C74
:0050662D E8CEDBEFFF call 00404200
:00506632 0F84C0040000 je 00506AF8
:00506638 8B03
mov eax, dword ptr [ebx]
* Possible StringData Ref from Code Obj ->"none"
|
:0050663A BA886C5000 mov edx,
00506C88
:0050663F E8BCDBEFFF call 00404200
:00506644 0F84AE040000 je 00506AF8
:0050664A 8B03
mov eax, dword ptr [ebx]
* Possible StringData Ref from Code Obj ->"Peter Baudman"
|
:0050664C BA986C5000 mov edx,
00506C98
:00506651 E8AADBEFFF call 00404200
:00506656 0F849C040000 je 00506AF8
:0050665C 8B03
mov eax, dword ptr [ebx]
* Possible StringData Ref from Code Obj ->"Guadalupe Serrano Espinoza"
:
:
由於名單和系列號太多了,此處略過
:
:00506A02 FF33
push dword ptr [ebx]
* Possible StringData Ref from Code Obj ->"Single"
|
:00506A04 6858705000 push 00507058
:00506A09 8D45F8
lea eax, dword ptr [ebp-08]
:00506A0C BA03000000 mov edx,
00000003
:00506A11 E89AD7EFFF call 004041B0
:00506A16 BB01000000 mov ebx,
00000001
:00506A1B EB29
jmp 00506A46
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00506A4F(C)
|從這裡開始對輸入的使用者名稱和系列號進行處理
:00506A1D 8B06
mov eax, dword ptr [esi]
:00506A1F 8A4418FF mov
al, byte ptr [eax+ebx-01]
:00506A23 04D0
add al, D0
:00506A25 2C0A
sub al, 0A
:00506A27 721C
jb 00506A45
:00506A29 04F9
add al, F9
:00506A2B 2C1A
sub al, 1A
:00506A2D 7216
jb 00506A45
:00506A2F 04FA
add al, FA
:00506A31 2C1A
sub al, 1A
:00506A33 7210
jb 00506A45
:00506A35 8BC6
mov eax, esi
:00506A37 B901000000 mov ecx,
00000001
:00506A3C 8BD3
mov edx, ebx
:00506A3E E8F5D8EFFF call 00404338
:00506A43 EB01
jmp 00506A46
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00506A27(C), :00506A2D(C), :00506A33(C)
|
:00506A45 43
inc ebx
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00506A1B(U), :00506A43(U)
|
:00506A46 8B06
mov eax, dword ptr [esi]
:00506A48 E8A3D6EFFF call 004040F0
:00506A4D 3BD8
cmp ebx, eax
:00506A4F 7ECC
jle 00506A1D
:00506A51 BAC163D306 mov edx,
06D363C1
:00506A56 8B45F8
mov eax, dword ptr [ebp-08]
:00506A59 E8227BF7FF call 0047E580
:00506A5E 8D55F4
lea edx, dword ptr [ebp-0C]
:00506A61 E83AF2FFFF call 00505CA0
:00506A66 BB01000000 mov ebx,
00000001
:00506A6B EB2B
jmp 00506A98
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00506AA2(C)
|
:00506A6D 8B45F4
mov eax, dword ptr [ebp-0C]
:00506A70 8A4418FF mov
al, byte ptr [eax+ebx-01]
:00506A74 04D0
add al, D0
:00506A76 2C0A
sub al, 0A
:00506A78 721D
jb 00506A97
:00506A7A 04F9
add al, F9
:00506A7C 2C1A
sub al, 1A
:00506A7E 7217
jb 00506A97
:00506A80 04FA
add al, FA
:00506A82 2C1A
sub al, 1A
:00506A84 7211
jb 00506A97
:00506A86 8D45F4
lea eax, dword ptr [ebp-0C]
:00506A89 B901000000 mov ecx,
00000001
:00506A8E 8BD3
mov edx, ebx
:00506A90 E8A3D8EFFF call 00404338
:00506A95 EB01
jmp 00506A98
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00506A78(C), :00506A7E(C), :00506A84(C)
|
:00506A97 43
inc ebx
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00506A6B(U), :00506A95(U)
|
:00506A98 8B45F4
mov eax, dword ptr [ebp-0C]
:00506A9B E850D6EFFF call 004040F0
:00506AA0 3BD8
cmp ebx, eax
:00506AA2 7EC9
jle 00506A6D
:00506AA4 8B06
mov eax, dword ptr [esi]
:00506AA6 8B55F4
mov edx, dword ptr [ebp-0C]
:00506AA9 E852D7EFFF call 00404200
:00506AAE 0F9445FF sete
byte ptr [ebp-01]
:00506AB2 807DFF00 cmp
byte ptr [ebp-01], 00
:00506AB6 7440
je 00506AF8
:00506AB8 C645FF00 mov
[ebp-01], 00
:00506ABC BAC163D306 mov edx,
06D363C1
:00506AC1 8B45F8
mov eax, dword ptr [ebp-08]
:00506AC4 E8B77AF7FF call 0047E580
:00506AC9 8D55F0
lea edx, dword ptr [ebp-10]
:00506ACC E8CFF1FFFF call 00505CA0
:00506AD1 8B45F0
mov eax, dword ptr [ebp-10]
:00506AD4 E84FF9FFFF call 00506428
:00506AD9 83F8FF
cmp eax, FFFFFFFF
:00506ADC 741A
je 00506AF8
:00506ADE BB91080000 mov ebx,
00000891
* Possible StringData Ref from Data Obj ->"?"
|
:00506AE3 BA10525200 mov edx,
00525210
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00506AF6(C)
|
:00506AE8 3B02
cmp eax, dword ptr [edx]
:00506AEA 7506
jne 00506AF2
:00506AEC C645FF01 mov
[ebp-01], 01
:00506AF0 EB06
jmp 00506AF8
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00506AEA(C)
|
:00506AF2 83C204
add edx, 00000004
:00506AF5 4B
dec ebx
:00506AF6 75F0
jne 00506AE8
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00506537(U), :00506548(C), :0050655A(C), :0050656C(C), :0050657E(C)
|:00506590(C), :005065A2(C), :005065B4(C), :005065C6(C), :005065D8(C)
|:005065EA(C), :005065FC(C), :0050660E(C), :00506620(C), :00506632(C)
|:00506644(C), :00506656(C), :00506668(C), :0050667A(C), :0050668C(C)
|:0050669E(C), :005066B0(C), :005066C2(C), :005066D4(C), :005066E6(C)
|:005066F8(C), :0050670A(C), :0050671C(C), :0050672E(C), :00506740(C)
|:00506752(C), :00506764(C), :00506776(C), :00506788(C), :0050679A(C)
|:005067AC(C), :005067BE(C), :005067D0(C), :005067E2(C), :00506801(C)
|:00506816(C), :0050682B(C), :0050683E(C), :00506853(C), :00506868(C)
|:0050687D(C), :00506892(C), :005068A7(C), :005068BC(C), :005068D1(C)
|:005068E6(C), :005068FB(C), :00506910(C), :00506925(C), :0050693A(C)
|:0050694F(C), :00506964(C), :00506979(C), :0050698E(C), :005069A3(C)
|:005069B8(C), :005069CD(C), :005069E2(C), :005069F7(C), :00506AB6(C)
|:00506ADC(C), :00506AF0(U)
|
:00506AF8 33C0
xor eax, eax //所有路徑(包括00506AF0的成功路徑)都會到這裡,此處eax一律清零,用於下面以fs:[eax]還原例外處理鏈;成功與否記在[ebp-01],推測在未列出的00506B1A之後才載入al
:00506AFA 5A
pop edx
:00506AFB 59
pop ecx
:00506AFC 59
pop ecx
:00506AFD 648910
mov dword ptr fs:[eax], edx
:00506B00 681A6B5000 push 00506B1A
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00506B18(U)
|
:00506B05 8D45F0
lea eax, dword ptr [ebp-10]
:00506B08 BA03000000 mov edx,
00000003
:00506B0D E882D3EFFF call 00403E94
:00506B12 C3
ret
程式的修改很簡單:在call 005064f8開始處即:
:005064F8 55
push ebp
:005064F9 8BEC
mov ebp, esp
:005064FB 6A00
push 00000000
:005064FD 6A00
push 00000000
直接改成2條語句:① mov eax,1
② retn
至此程式完全破解,無論你用什麼名註冊均成功,時間如何變化也不會過期了(因為前面看到註冊、啟動、時間變化三處都是呼叫005064F8這同一個函式來判斷)。換個角度看,授權判斷全押在一個只回傳al的函式上,看來也沒有對自身程式碼做校驗,這就是這種保護的弱點所在。此法對v1.9 pro 同樣適用.
以上有不妥之處請各位一定要指出.
在此謝謝blowfish的提示。